0
0
AwsHow-ToBeginner · 3 min read

How to Pull Docker Image from AWS ECR Easily

To pull an image from AWS ECR, first authenticate your Docker client with ECR using aws ecr get-login-password and then run docker pull with the full image URI. This ensures Docker can access the private ECR repository and download the image.
📐

Syntax

Follow these steps to pull an image from ECR:

  • Authenticate Docker to ECR: Use aws ecr get-login-password to get a password and login to your ECR registry.
  • Pull the image: Use docker pull <aws_account_id>.dkr.ecr.<region>.amazonaws.com/<repository_name>:<tag> to download the image.
bash
aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com

docker pull <aws_account_id>.dkr.ecr.<region>.amazonaws.com/<repository_name>:<tag>
💻

Example

This example shows how to authenticate and pull the image my-app tagged latest from ECR in the us-west-2 region.

bash
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-west-2.amazonaws.com

docker pull 123456789012.dkr.ecr.us-west-2.amazonaws.com/my-app:latest
Output
Login Succeeded latest: Pulling from my-app Digest: sha256:abcdef1234567890 Status: Downloaded newer image for 123456789012.dkr.ecr.us-west-2.amazonaws.com/my-app:latest
⚠️

Common Pitfalls

  • Not authenticating Docker: Forgetting to run the login command causes permission errors.
  • Wrong region or account ID: Using incorrect AWS account ID or region in the image URI leads to "repository not found" errors.
  • Expired login token: The login token expires after 12 hours; re-authenticate if pull fails.
bash
## Wrong way (missing login):
docker pull 123456789012.dkr.ecr.us-west-2.amazonaws.com/my-app:latest

## Right way (with login):
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-west-2.amazonaws.com

docker pull 123456789012.dkr.ecr.us-west-2.amazonaws.com/my-app:latest
📊

Quick Reference

Remember these key points when pulling images from ECR:

  • Always authenticate Docker with aws ecr get-login-password before pulling.
  • Use the full image URI including AWS account ID, region, repository name, and tag.
  • Login tokens expire after 12 hours; re-run login if needed.

Key Takeaways

Authenticate Docker to ECR using AWS CLI before pulling images.
Use the full ECR image URI with account ID, region, repository, and tag.
Login tokens expire after 12 hours; re-authenticate as needed.
Incorrect region or account ID causes pull failures.
Always verify you have permission to access the ECR repository.

Related by keyword

How to Rotate AWS Access Keys Safely and EasilyIAMHow to Delete a File from AWS S3 Bucket EasilyS3Enable Server Side Encryption on AWS S3 Buckets EasilyS3How to Enable Versioning in AWS S3 Buckets EasilyS3How to Sync a Folder to AWS S3 Using AWS CLIS3

Up next

Fanout Pattern with SNS and SQS: How It Works and When to UseWhat is AWS SNS: Simple Notification Service ExplainedCloudWatch vs CloudTrail: Key Differences and When to Use EachHow to Create a CloudWatch Alarm in AWS

More in ECS and EKS

ECS EC2 vs ECS Fargate: Key Differences and When to Use EachECS vs EKS: Key Differences and When to Use EachHow to Create an ECS Cluster on AWS: Simple StepsHow to Create an AWS EKS Cluster: Step-by-Step Guide